Skip to content
This repository was archived by the owner on Mar 26, 2026. It is now read-only.

chore(deps): update dependency jinja2 to v3.1.4 [security]#2026

Merged
parthea merged 1 commit into
googleapis:mainfrom
renovate-bot:renovate/pypi-jinja2-vulnerability
May 8, 2024
Merged

chore(deps): update dependency jinja2 to v3.1.4 [security]#2026
parthea merged 1 commit into
googleapis:mainfrom
renovate-bot:renovate/pypi-jinja2-vulnerability

Conversation

@renovate-bot

Copy link
Copy Markdown
Contributor

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
jinja2 (source, changelog) ==3.1.3 -> ==3.1.4 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-34064

The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, >, or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for the previous GHSA-h5c8-rqwp-cp95 CVE-2024-22195 only addressed spaces but not other characters.

Accepting keys as user input is now explicitly considered an unintended use case of the xmlattr filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting values as user input continues to be safe.


Release Notes

pallets/jinja (jinja2)

v3.1.4

Compare Source

Released 2024-05-05

  • The xmlattr filter does not allow keys with / solidus, >
    greater-than sign, or = equals sign, in addition to disallowing spaces.
    Regardless of any validation done by Jinja, user input should never be used
    as keys to this filter, or must be separately validated first.
    :ghsa:h75v-3vvj-5mfj

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate-bot renovate-bot force-pushed the renovate/pypi-jinja2-vulnerability branch from 7e20643 to 7d92c88 Compare May 6, 2024 20:51
@renovate-bot renovate-bot requested a review from a team May 6, 2024 20:51
@trusted-contributions-gcf trusted-contributions-gcf Bot added kokoro:force-run Add this label to force Kokoro to re-run the tests. owlbot:run Add this label to trigger the Owlbot post processor. labels May 6, 2024
@product-auto-label product-auto-label Bot added the size: xs Pull request size is extra small. label May 6, 2024
@gcf-owl-bot gcf-owl-bot Bot removed the owlbot:run Add this label to trigger the Owlbot post processor. label May 6, 2024
@parthea parthea merged commit e8713d8 into googleapis:main May 8, 2024
@renovate-bot renovate-bot deleted the renovate/pypi-jinja2-vulnerability branch May 8, 2024 17:49
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

kokoro:force-run Add this label to force Kokoro to re-run the tests. size: xs Pull request size is extra small.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants